Bug 2151806
| Summary: | systemd-timesyncd fails to start with a SELinux denial | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Juan Orti <jorti> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | high | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 37 | CC: | dollierp, dustymabe, dwalsh, lioh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela | |
| Target Milestone: | --- | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-37.17-1.fc37 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2217509 (view as bug list) | Environment: | ||
| Last Closed: | 2022-12-27 01:12:52 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2217509 | |||
Juan, I am unable to reproduce the problem. Do you know what are the triggering conditions? $ rpm -q systemd selinux-policy systemd-251.8-586.fc37.x86_64 selinux-policy-37.15-1.fc37.noarch Hi Zdenek,
The bug description is from a Raspberry Pi 4 running FCOS 37.20221106.3.0 in the stable stream.
I've tested it again in a x86_64 VM using the next stream and the issue is reproducible just by starting systemd-timesyncd.
Packages:
selinux-policy-37.14-1.fc37.noarch
systemd-251.8-586.fc37.x86_64
~~~
# rpm-ostree status
State: idle
AutomaticUpdatesDriver: Zincati
DriverState: active; periodically polling for updates (last checked Thu 2022-12-08 13:59:43 UTC)
Deployments:
● fedora:fedora/x86_64/coreos/next
Version: 37.20221127.1.0 (2022-11-28T10:24:58Z)
BaseCommit: e051d49946dd7685ed1fa52c924506fc997958fd002ab39f9b131d0c45b72bb0
GPGSignature: Valid signature by ACB5EE4E831C74BB7C168D27F55AD3FB5323552A
LayeredPackages: borgbackup borgmatic podman-compose qemu-guest-agent vim
~~~
~~~
# journalctl -b --no-hostname
Dec 08 13:57:56 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization...
Dec 08 13:57:56 audit[830]: AVC avc: denied { watch } for pid=830 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Dec 08 13:57:56 audit[830]: SYSCALL arch=c000003e syscall=254 success=no exit=-13 a0=a a1=7f2dfa0b83de a2=40000100 a3=7ffe22e9338c items=0 ppid=1 pid=830 auid=4294967295 uid=993 gid=991 euid=993 suid=993 fsuid=993 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="systemd-timesyn" exe="/usr/lib/systemd/systemd-timesyncd" subj=system_u:system_r:systemd_timedated_t:s0 key=(null)
Dec 08 13:57:56 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-timesyncd"
Dec 08 13:57:56 systemd-timesyncd[830]: Failed to allocate manager: Permission denied
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'.
Dec 08 13:57:56 systemd[1]: Failed to start systemd-timesyncd.service - Network Time Synchronization.
Dec 08 13:57:56 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-timesyncd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 08 13:57:56 systemd[1]: systemd-timesyncd.service: Scheduled restart job, restart counter is at 1.
Dec 08 13:57:56 systemd[1]: Stopped systemd-timesyncd.service - Network Time Synchronization.
~~~
~~~
# ls -laZ /run/systemd
total 0
drwxr-xr-x. 24 root root system_u:object_r:init_var_run_t:s0 600 Dec 8 14:07 .
drwxr-xr-x. 42 root root system_u:object_r:var_run_t:s0 1140 Dec 8 14:07 ..
drwxr-xr-x. 2 root root system_u:object_r:systemd_passwd_var_run_t:s0 40 Dec 8 13:57 ask-password
drwx------. 2 root root unconfined_u:object_r:systemd_passwd_var_run_t:s0 60 Dec 8 13:59 ask-password-block
srw-------. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 coredump
drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t:s0 40 Dec 8 14:04 dynamic-uid
drwxr-xr-x. 8 root root system_u:object_r:systemd_unit_file_t:s0 220 Dec 8 13:57 generator
drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t:s0 60 Dec 8 13:57 home
drwxr-xr-x. 3 root root system_u:object_r:init_var_run_t:s0 160 Dec 8 13:57 inaccessible
drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t:s0 40 Dec 8 13:57 incoming
drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_inhibit_var_run_t:s0 80 Dec 8 13:57 inhibit
srw-rw-rw-. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 io.system.ManagedOOM
drwxr-xr-x. 3 root root system_u:object_r:syslogd_var_run_t:s0 180 Dec 8 13:57 journal
drwxr-xr-x. 2 root root system_u:object_r:systemd_machined_var_run_t:s0 40 Dec 8 13:57 machines
drwxr-xr-x. 2 root root system_u:object_r:net_conf_t:s0 40 Dec 8 13:57 network
srwxrwxrwx. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 notify
srwx------. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 private
drw-------. 13 root root system_u:object_r:init_var_run_t:s0 260 Dec 8 14:07 propagate
drwxr-xr-x. 3 systemd-resolve systemd-resolve system_u:object_r:systemd_resolved_var_run_t:s0 120 Dec 8 14:07 resolve
drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_var_run_t:s0 60 Dec 8 13:57 seats
drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_sessions_t:s0 80 Dec 8 13:59 sessions
-rw-r--r--. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 show-status
drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_var_run_t:s0 40 Dec 8 13:57 shutdown
drwxr-xr-x. 2 root root system_u:object_r:systemd_unit_file_t:s0 40 Dec 8 13:57 system
-r--r--r--. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 8 13:57 systemd-units-load
drwxr-xr-x. 2 root root system_u:object_r:systemd_unit_file_t:s0 100 Dec 8 13:59 transient
drwx------. 2 root root system_u:object_r:init_var_run_t:s0 40 Dec 8 13:57 unit-root
drwxr-xr-x. 2 root root system_u:object_r:systemd_unit_file_t:s0 1320 Dec 8 14:07 units
drwxr-xr-x. 2 root root system_u:object_r:systemd_userdbd_runtime_t:s0 140 Dec 8 13:57 userdb
drwxr-xr-x. 2 root root system_u:object_r:systemd_logind_var_run_t:s0 80 Dec 8 13:59 users
~~~
Thank you, so this probably reproduces only on an ostree system. Opened an FCOS issue tracker issue for this too: https://github.com/coreos/fedora-coreos-tracker/issues/1359 (In reply to Zdenek Pytela from comment #3) > Thank you, so this probably reproduces only on an ostree system. Hey Zdenek. This appears to be true, but do you know why it's specific to only ostree systems? I'm not sure how the PR fix here is special only for OSTree. I am not aware of any manageable way of having separate policy for ostree, so this will be added to selinux-policy in the next build. Right. I'm just trying to understand why I can reproduce this on an OSTree system, but not on a non-OSTree system. I'm happy with the fix, just trying to uderstand the problem space a bit better. I'm facing the exact same issue on my Fedora 37 box (not FCOS). FEDORA-2022-fc84e3e4d5 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5 FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-fc84e3e4d5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc84e3e4d5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-fc84e3e4d5 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. This issue is also present on EL9. |
Description of problem: After upgrading to Fedora CoreOS 37, systemd-timesyncd fails to start with a SELinux denial. Version-Release number of selected component (if applicable): selinux-policy-37.12-2.fc37.noarch systemd-udev-251.7-611.fc37.aarch64 Fedora CoreOS 37.20221106.3.0 How reproducible: Always Steps to Reproduce: 1. systemctl start systemd-timesyncd Actual results: Dec 08 06:43:24 systemd[1]: Starting systemd-timesyncd.service - Network Time Synchronization... Dec 08 06:43:24 audit[7055]: AVC avc: denied { watch } for pid=7055 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0 Dec 08 06:43:24 systemd-timesyncd[7055]: Failed to allocate manager: Permission denied Dec 08 06:43:24 systemd[1]: systemd-timesyncd.service: Main process exited, code=exited, status=1/FAILURE Dec 08 06:43:24 systemd[1]: systemd-timesyncd.service: Failed with result 'exit-code'. Expected results: Service started Additional info: